Exploit code for Windows Zerologon CVE-2020-1472 released; your Windows server is at risk


Exploit Released For Microsoft Windows ‘Zerologon’ Flaw aka CVE-2020-1472 which lets hackers instantly become admins on enterprise networks

Windows server versions have a very critical flaw that could be exploited by cybercriminals and hackers to gain privileged access to domain-wide servers. Unfortunately, four proof-of-concept exploits for this Windows Zerologon flaw have been publicly leaked. This means that all Windows servers are vulnerable to the Zerologon attack, which lets hackers easily infiltrate enterprise networks, gain administrative privileges, and get full access to Active Directory domain controllers on Windows servers.

The PoC code released exploits the vulnerability dubbed “Zerologon.” Zerologon is a Windows vulnerability tracked as CVE-2020-1472 with the maximum possible CVSS score of 10 out of 10, making it critical in severity.

The Zerologon flaw was addressed by Microsoft in its August 2020 security updates. However, this week at least four public PoC exploits for the flaw were released on GitHub, and on Friday, researchers with Secura (who discovered the flaw) published technical details of the vulnerability.

The Zerologon vulnerability in Windows servers is similar to an earlier vulnerability found by Secura called Netlogon. However, Netlogon required the potential hacker to mount a person-in-the-middle attack for it to become an effective tool for malicious actors. The Zerologon vulnerability is doubly dangerous because the exploit allows hackers to craft an authentication token for the Netlogon Remote Protocol and reset the computer password of the Domain Controller.

The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication. Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each “byte” of plaintext has a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized – meaning an attacker could control the deciphered text. Because Windows doesn’t take this requirement into consideration, an attacker can input zeros into specific fields to take over the domain controller in a matter of seconds, in a process detailed here.
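As an added example (not code from the article, from Secura, or from Windows), the following Python models the CFB8 detail just described: with the IV fixed to all zeros, an all-zero challenge encrypts to an all-zero credential for roughly 1 in 256 unknown session keys, whereas a non-zero IV makes each of the eight ciphertext bytes independent. The block cipher is a stand-in built from SHA-256 rather than AES so the example runs on the standard library; `compute_credential` and `zero_credential_rate` are hypothetical names.

```python
import hashlib
import random

BLOCK = 16  # AES block size in bytes; a Netlogon credential is 8 bytes

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block cipher (NOT AES), an assumption made so the example
    # needs only the standard library. The property shown below only requires
    # the output to be unpredictable under an unknown key, which AES also gives.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB8: each plaintext byte is XORed with the first byte of E_k(register);
    # the register then drops its oldest byte and appends the ciphertext byte.
    register = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, register)[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def compute_credential(session_key: bytes, challenge: bytes, iv: bytes) -> bytes:
    # Models ComputeNetlogonCredential: the 8-byte challenge is CFB8-encrypted
    # under the session key. The flawed implementation always passes 16 zero bytes as iv.
    return cfb8_encrypt(session_key, iv, challenge)

def zero_credential_rate(iv: bytes, trials: int, seed: int = 1) -> float:
    # Fraction of random (unknown) session keys for which an all-zero challenge
    # yields an all-zero credential. With a zero IV, a zero ciphertext byte
    # leaves the register all zeros again, so one lucky first byte (1 in 256)
    # repeats for all eight bytes. With a non-zero IV the bytes are independent,
    # and an all-zero credential needs eight separate 1-in-256 events.
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if compute_credential(key, bytes(8), iv) == bytes(8):
            hits += 1
    return hits / trials

def random_iv(seed: int = 2) -> bytes:
    # Constructed non-zero IV for the comparison run.
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

if __name__ == "__main__":
    print("zero IV  :", zero_credential_rate(bytes(BLOCK), 20000))  # close to 1/256
    print("random IV:", zero_credential_rate(random_iv(), 20000))   # 0.0
```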

“This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” said researchers with Secura, in a Friday whitepaper. “The attack is completely unauthenticated: The attacker does not need any user credentials.”

Microsoft has already addressed the Zerologon flaw in its August 2020 security update, so sysadmins should update their servers and enterprise versions of Windows immediately. Secura has released a tool written in Python to help sysadmins find out whether their domain controllers are vulnerable to the Zerologon attack.

